Confirm
1,018
edits
Changes
→Using EYAML
Secrets are accessed via hiera, using hiera-eyaml. That means that the secrets files are regular YAML files, but contain ciphertext enclosed by ENC[..] where secrets are protected. The public and private keys used for this encryption are stored on the puppetmasters themselves.
To encrypt a new password, as root on an *[https://wiki.mozilla.org/ReleaseEngineering/Puppet#Masters authoritative* puppetmaster], use:
eyaml encrypt --pkcs7-private-key /etc/hiera/keys/private_key.pem --pkcs7-public-key /etc/hiera/keys/public_key.pem \
